U.S. Suspicions of China's Huawei Based Partly on NSA's Own Spy Tricks

U.S. spies suspect Huawei of being able to embed computer exploits because they've already done it themselves

Fears of Chinese espionage based on "back doors" built into computer hardware have prompted the U.S. government to block China's technology giant Huawei from doing business on U.S. shores. Such suspicions may come in large part from the knowledge that U.S. spies have already learned how to install similar "back doors" in computer hardware and software.

The NSA allegedly launched an operation code-named "Shotgiant" in 2007 aimed at uncovering any possible ties between Huawei—a company that likes to boast of how its routers and switches connect a third of the world's population—and China's military, known as the People's Liberation Army, according to the New York Times and Der Spiegel. Operation Shotgiant also aimed to compromise and exploit Huawei's technology so that the NSA could infiltrate the computer networks of Huawei customers in "high-priority target" countries such as Iran, Afghanistan, Pakistan, Kenya, and Cuba.

John Bumgarner, chief technology officer at the U.S. Cyber Consequences Unit, a non-profit research institute, tells IEEE Spectrum that the NSA's primary objective "was most likely to identify information that could confirm their suspicions about Huawei's relationship with the PLA." He adds that a secondary objective was probably to acquire Huawei source code and hardware designs. "This information would be thoroughly analyzed for possible backdoors that were embedded by Huawei and for any zero-day vulnerabilities"—previously unknown flaws that can be exploited—"that the NSA could use to gain a tactical advantage in their operations worldwide," he says.

NSA documents leaked by former contractor Edward Snowden show that the NSA's Tailored Access Operations unit had succeeded in infiltrating computer servers at Huawei's headquarters in Shenzhen, China, by 2010. The success allowed the agency to spy on the email communications of Huawei employees, including Ren Zhengfei, founder of Huawei, as well as to steal the source code for specific Huawei products, which could be used to exploit those products for espionage or cyberwarfare purposes.

The New York Times withheld technical details on exactly how the NSA had compromised Huawei's servers, at the request of the Obama administration, which cited national security reasons. But a leaked NSA "spy catalog" made available on Cryptome, a website that publishes government and corporate documents, does show that the agency had already succeeded in installing software back doors in certain Huawei hardware, such as firewalls and routers, as early as 2008. The NSA catalog also reveals exploits for computer hardware belonging to U.S. companies such as Dell.

"The exploits in the NSA catalog actually mirror what the U.S. has been accusing Huawei of potentially doing to their products," Bumgarner says.

A joint NSA and CIA operation targeting Huawei products appears under the code name "Turbopanda" in several software exploits described by the NSA catalog. One persistent backdoor software implant named "Headwater" targets Huawei routers so that the NSA could monitor Internet traffic passing through them. Another backdoor software implant called "Halluxwater" targets Huawei's Eudemon series of hardware firewalls—computers that guard an organization's internal network from the rest of the Internet.

Both Headwater and Halluxwater get installed inside the device's boot ROM—the very first level of code executed when the device powers up or gets rebooted. According to the catalog, NSA operatives install the implants either by transmitting the spyware remotely over the Internet to a target Huawei router or by introducing it to a Huawei firewall disguised as a boot ROM update.

The NSA catalog also lists hardware exploits that demonstrate the kind of back doors the U.S. has long claimed Huawei might slip inside its own products to enable Chinese cyber attacks or espionage. One series of hardware implants known as "Cottonmouth" can be installed inside the USB plugs of keyboards or other USB connectors.

Other NSA hardware exploits include hardware implants for Dell and Hewlett-Packard servers. Such implants must be installed in person by NSA operatives during an "interdiction" process described by Der Spiegel. That means the NSA intercepts certain shipping deliveries of new computers or related accessories so that it can load spyware or install hardware components that provide back door access for U.S. intelligence agents later on.

"These specialized devices require someone to physically touch a specific piece of hardware to insert the NSA-designed component," Bumgarner says. "It's highly unlikely that these components are being embedded during manufacturing, which means that they're being installed after the hardware is in either the supply chain or maintenance cycle."

This all may give the U.S. the appearance of the pot calling the kettle black when it has blacklisted Huawei based on suspicions that the Chinese company could introduce hardware exploits similar to what U.S. spies have already carried out. But the U.S. government has defended its spy activities by drawing a distinction between what the NSA does for U.S. national security reasons and Chinese corporate espionage aimed at stealing U.S. technologies for the benefit of China's state-owned companies.

"We do not give intelligence we collect to U.S. companies to enhance their international competitiveness or increase their bottom line," says Caitlin M. Hayden, a White House spokeswoman for the National Security Council. "Many countries cannot say the same."

There is no solid evidence that Huawei has in fact installed hardware back doors in its products that could be used for either state intelligence or corporate espionage. Huawei has also repeatedly denied any ties to the Chinese military as it portrays itself as the victim of U.S. protectionism aimed at keeping it out of the U.S. market. But the recent revelations about the NSA's efforts to find such a link indicate that the U.S. remains wary of the Chinese company.

Part of the mistrust stems from the history of Chinese corporate espionage and intellectual property theft targeting U.S. companies. In 2003, Cisco accused Huawei of copying source code and user manuals related to certain Cisco networking equipment such as routers and switches. The two companies eventually settled the legal case for an undisclosed financial amount and with Huawei promising to revise some of its software.

The other reason for U.S. wariness toward Huawei is that it's extremely time-consuming and cost-prohibitive to check every piece of Huawei equipment sold to defense contractors or to companies that provide critical services such as running power grids. Bumgarner, of the U.S. Cyber Consequences Unit research institute, says that if the U.S. eased restrictions on Huawei and the company sold some hardware to a defense contractor, it's possible that Huawei could embed malicious components in a few pieces of equipment, which could then be activated by an official firmware upgrade. The activation mechanism could be designed to fire only when a specific piece of hardware and a specific company matched. Such a scenario is something the NSA has shown to be technically possible in practice.

"What this catalog shows you is what the U.S. government is worried about," Bumgarner says. "And that is that Huawei could be physically modifying their hardware and that any modifications are nearly impossible to identify."
